Existing methods struggle to detect covert malicious activities masquerading as legitimate traffic—such as HTTPS—when trained solely on normal network data. This work proposes a novel paradigm that models network traffic as an attributed communication graph and employs graph neural networks to reconstruct edge semantics while capturing local topological structures. By leveraging structural consistency, the approach identifies anomalous communications and hosts without requiring any attack samples, effectively uncovering sparse and context-dependent suspicious behaviors. Anomaly scores are further calibrated using Median Absolute Deviation (MAD). Evaluated on the CICIDS2017 dataset, the method achieves a ROC-AUC of 0.9753 and a true positive rate of 0.8569 at a 5% false positive rate, significantly outperforming current unsupervised detection approaches.

Detecting stealthy malicious communications from flow logs under benign-only training remains a critical challenge in network security. Malicious communications often camouflage as normal traffic like standard HTTPS flows. Conventional intrusion detectors rely strictly on known labeled attacks. Alternatively, they score flows completely independently. These approaches fail against sparse and context-dependent suspicious activity. To capture this essential context, graph anomaly detectors have been introduced to add valuable relational information to the analysis. However, existing methods fail to test the structural consistency of specific communication edges. To overcome these fundamental limitations, we present GESR, a novel graph-based framework for detecting suspicious communications and anomalous hosts under a benign-only training setting. GESR models complex network activity as attributed communication graphs. It cleverly reconstructs edge semantics entirely from local structural context rather than isolated features. This non-intuitive design forces the framework to predict expected communication patterns from neighborhood topologies. Attackers cannot easily manipulate this deep structural dependency. The model then converts the resulting structural inconsistencies into host-level anomaly scores. It utilizes robust Median Absolute Deviation (MAD) calibration for this final step. We evaluate GESR extensively on CTU-13 and CICIDS2017 datasets. These evaluations strictly impose tight false-positive operating constraints. On CICIDS2017, GESR achieves an outstanding ROC-AUC of 0.9753. It also yields a high TPR of 0.8569 at a strict 5% FPR threshold. GESR consistently outperforms existing methods across both evaluated benchmarks. The results prove that structure-conditioned edge reconstruction is a credible direction for practical intrusion detection.